openSUSE 15.1 – Leap

The following pages go into some detail on what is new in this openSUSE release. Too much information? Check out the Feature highlights instead.

Base operating system

Linux kernel

Leap 15.1 will use the 4.12 Linux Kernel. Support for graphics hardware supported by the 4.19 Linux Kernel was backported for the release of Leap 15.1, which brings more graphics drivers for Graphics Processing Units (GPUs) and better support for AMD Vega cards. The kernel switches to CONFIG_PREEMPT_VOLUNTARY (https://bugzilla.suse.com/show_bug.cgi?id=1125004).

A prominent feature list and intricate details can be found on kernelnewbies.org.

Hardware Support

Leap 15.1 works with x86_64, and deployment scenarios can be run on physical, virtual (host and guest) and cloud systems. Ports to other architectures like ARM64 and POWER will be available from the community.

GNU Compiler Collection

GNU Compiler Collection 8 is available in addition to GCC 7.

General Improvements

The ipa-pure-const pass is extended to propagate the malloc attribute, and the corresponding warning option -Wsuggest-attribute=malloc emits a diagnostic for functions which can be annotated with the malloc attribute.

Profile driven optimization improvements:

New infrastructure for representing profiles (both statically guessed and profile feedback) which allows propagation of additional information about the reliability of the profile.

A number of improvements in the profile updating code solving problems found by new verification code.

Static detection of code which is not executed in a valid run of the program. This includes paths which trigger undefined behavior as well as calls to functions declared with the cold attribute. The noreturn attribute no longer implies all effects of cold, to differentiate between exit (which is noreturn) and abort (which in addition is not executed in valid runs).

-freorder-blocks-and-partition, a pass splitting function bodies into hot and cold regions, is now enabled by default at -O2 and higher for x86 and x86-64.

Link-time optimization improvements:

We have significantly improved debug information on ELF targets using DWARF by properly preserving language-specific information. This allows for example the libstdc++ pretty-printers to work with LTO optimized executables.

A new option -fcf-protection=[full|branch|return|none] is introduced to perform code instrumentation to increase program security by checking that target addresses of control-flow transfer instructions (such as indirect function call, function return, indirect jump) are valid. Currently the instrumentation is supported on x86 GNU/Linux targets only. See the user guide for further information about the option syntax and section "New Targets and Target Specific Improvements" for IA-32/x86-64 for more details.

The -gcolumn-info option is now enabled by default. It includes column information in addition to just filenames and line numbers in DWARF debugging information.

The polyhedral-based loop nest optimization pass -floop-nest-optimize has been overhauled. It's still considered experimental and may not result in any runtime improvements.

Two new classical loop nest optimization passes have been added. -floop-unroll-and-jam performs outer loop unrolling and fusing of the inner loop copies. -floop-interchange exchanges loops in a loop nest to improve data locality. Both passes are enabled by default at -O3 and above.

The classic loop nest optimization pass -ftree-loop-distribution has been improved and enabled by default at -O3 and above. It supports loop nest distribution in some restricted scenarios; it also supports cancellable innermost loop distribution with loop versioning under run-time alias checks.

The new option -fstack-clash-protection causes the compiler to insert probes whenever stack space is allocated statically or dynamically to reliably detect stack overflows and thus mitigate the attack vector that relies on jumping over a stack guard page as provided by the operating system.

Networking

Leap 15.1 will now use Network Manager by default for both laptops and desktops; previously only laptops defaulted to Network Manager. Server installations will continue to default to Wicked. A change that applies to both Wicked and Network Manager is that /etc/resolv.conf, yp.conf and some other files are now links to files in /run, which are updated by netconfig. This release has added a few popular WiFi drivers for more modern wireless chipsets; the benefits show in the dynamic use of WiFi and in setting up Virtual Private Networks.

Security

Leap 15.1 has received all necessary backports and uses the same Enterprise Linux Kernel that SUSE uses. Leap has -fstack-clash-protection, which was important in mitigating the “Stack Clash” vulnerability that exposed other distributions.

dehydrated / letsencrypt

Dehydrated is a client for Let’s Encrypt. The SUSE integration provides templates for Apache, nginx and lighttpd. It also supports DNS-based issuance, including support for wildcard certificates.

Dehydrated is a client for signing certificates with an ACME server (currently only provided by Let’s Encrypt), implemented as a relatively simple bash script.

It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed.

systemd

Leap 15.1 has systemd version 234. This is the same version that was in Leap 15.0. The following info pertains to the 234 version:

Support for dynamically creating users for the lifetime of a service has been added. If DynamicUser=yes is specified, user and group IDs will be allocated from the range 61184..65519 for the lifetime of the service. They can be resolved using the new nss-systemd.so NSS module. The module must be enabled in /etc/nsswitch.conf. Services started in this way have PrivateTmp= and RemoveIPC= enabled, so that any resources allocated by the service will be cleaned up when the service exits. They also have ProtectHome=read-only and ProtectSystem=strict enabled, so they are not able to make any permanent modifications to the system.

MemoryLimit= and related unit settings now optionally take percentage specifications. The percentage is taken relative to the amount of physical memory in the system (or in case of containers, the assigned amount of memory). This allows scaling service resources neatly with the amount of RAM available on the system. Similarly, systemd-logind's RuntimeDirectorySize= option now also optionally takes percentage values.

In similar fashion TasksMax= takes percentage values now, too. The value is taken relative to the configured maximum number of processes on the system. The per-service task maximum has been changed to 15% using this functionality. (Effectively this is an increase of 512 → 4915 for service units, given the kernel's default pid_max setting.)

The SystemCallFilter= unit file setting gained support for pre-defined, named system call filter sets. For example SystemCallFilter=@clock is now an effective way to make all clock changing-related system calls unavailable to a service. A number of similar pre-defined groups are defined. Writing system call filters for system services is simplified substantially with this new concept. Accordingly, all of systemd's own, long-running services now enable system call filtering based on this, by default.

A new service setting MemoryDenyWriteExecute= has been added, taking a boolean value. If turned on, a service may no longer create memory mappings that are writable and executable at the same time. This enhances security for services where this is enabled as it becomes harder to dynamically write and then execute memory in exploited service processes. This option has been enabled for all of systemd's own long-running services.
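
The unit settings described above, worked through in an added Python example that is not code from systemd or openSUSE: it resolves which sandbox settings a [Service] section ends up with and which opt-in hardening settings are still unset. The sample unit, the helper names and the 8 GiB host memory are assumptions made for illustration.

```python
# Added example (not from the release notes or systemd): resolve which
# sandbox settings a [Service] section ends up with under systemd 234.

# Per the notes, DynamicUser=yes enables these for the service.
DYNAMIC_USER_IMPLIES = {
    "PrivateTmp": "yes",
    "RemoveIPC": "yes",
    "ProtectHome": "read-only",
    "ProtectSystem": "strict",
}
# Hardening settings from the notes that a unit has to opt into.
OPT_IN = ("SystemCallFilter", "MemoryDenyWriteExecute")
SUFFIXES = {"K": 2**10, "M": 2**20, "G": 2**30, "T": 2**40}

# Constructed sample unit; the description and binary path are made up.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example service

[Service]
ExecStart=/usr/bin/example-daemon
DynamicUser=yes
MemoryLimit=10%
# A leading '~' turns the list into a deny-list: the @clock set is blocked.
SystemCallFilter=~@clock
"""


def parse_service(unit_text):
    """Collect key=value pairs from [Service]. Simplified: the last value wins,
    whereas systemd merges repeated list settings such as SystemCallFilter=."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def resolve_limit(value, total):
    """Resolve '15%', '512M' or a plain number; None means no limit."""
    value = value.strip()
    if value == "infinity":
        return None
    if value.endswith("%"):
        return total * int(value[:-1]) // 100
    if value[-1].upper() in SUFFIXES:
        return int(value[:-1]) * SUFFIXES[value[-1].upper()]
    return int(value)


def effective_sandbox(unit_text, pid_max=32768, mem_total=8 * 2**30):
    """Return (effective settings, opt-in hardening settings left unset).

    pid_max is the kernel default; mem_total (8 GiB) is an assumed host size.
    """
    service = parse_service(unit_text)
    effective = dict(service)
    if service.get("DynamicUser", "no").lower() in ("yes", "true", "on", "1"):
        effective.update(DYNAMIC_USER_IMPLIES)
    # 15% is the per-service default the notes give for TasksMax=.
    effective["TasksMax"] = resolve_limit(service.get("TasksMax", "15%"), pid_max)
    if "MemoryLimit" in service:
        effective["MemoryLimit"] = resolve_limit(service["MemoryLimit"], mem_total)
    missing = [key for key in OPT_IN if key not in service]
    return effective, missing


if __name__ == "__main__":
    settings, missing = effective_sandbox(SAMPLE_UNIT)
    for key in sorted(settings):
        print(f"{key}={settings[key]}")
    print("not set:", ", ".join(missing) or "none")
```
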

The unified cgroup hierarchy added in Linux 4.5 is now supported. Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to enable. Also, support for the "io" cgroup controller in the unified hierarchy has been added, so that the "memory", "pids" and "io" are now the controllers that are supported on the unified hierarchy.

A new command "systemctl revert" has been added that may be used to revert to the vendor version of a unit file, in case local changes have been made by adding drop-ins or overriding the unit file.

PHP 7

PHP7 is a server-side HTML embedded scripting language designed primarily for web development but also used as a general-purpose programming language. The 7.2.5 version found in both Leap 15.1 and 15.0 packages the standard implementation of PHP, namely Zend PHP. Included are the PHP command-line binary and the configuration file (php.ini). This package must be installed in order to use PHP. Additionally, extension modules and server modules (e.g. for Apache) may be installed. Additional documentation is available in package php-doc.

OpenStack

Leap 15.1 has multiple OpenStack packages to give administrators control of large pools of compute, storage, and networking resources.

The openstack-utils package provides utilities to aid the setup and configuration of OpenStack packages.

openstack-config - Manipulate the openstack ini files
openstack-db - Setup or delete the database for a specified service
openstack-demo-install - Setup all services on a single node for testing
openstack-status - Give an overview of the status of installed services

OpenStack RPM macros are needed to build OpenStack packages, and packages like openstack-suse pull in various other utility packages that are mainly useful for OpenStack packaging. Some are even only used at build-time.

Printing System

Leap 15.1 has CUPS 2.2.7. CUPS is a modular printing system which allows a computer to act as a print server. A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer. CUPS consists of a print spooler and scheduler, a filter system that converts the print data to a format that the printer will understand, and a backend system that sends this data to the print device. CUPS uses the Internet Printing Protocol (IPP) as the basis for managing print jobs and queues. It also provides the traditional command line interfaces for the System V and Berkeley print systems, and provides support for the Berkeley print system's Line Printer Daemon protocol and limited support for the server message block (SMB) protocol. CUPS comes with a built-in web-based interface.

Containers

Leap 15.1 is filled with several containerization technologies like Singularity, which brings containers and reproducibility to scientific computing and the high-performance computing (HPC) world. Singularity first appeared in the Leap distribution in Leap 42.3 and provides functionality to build minimal containers and run them as single application environments. Another official package in Leap 15.1 is libcontainers-common, which provides the configuration files and manpages shared by tools that are based on the github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo.

Office and Groupware

LibreOffice

LibreOffice is a free and open source office suite, a project of The Document Foundation. LibreOffice is a comprehensive office package featuring a word processor, a spreadsheet, a presentation program, and much more.

More information about the below new features included in the LibreOffice version in Leap 15.1 can be found in the Release Notes:

Basic list styles were added to the Styles submenu in the Context Menu. tdf#85940

Add insert page number option to header and footer menus. tdf#92685

It is now possible to generate a signature line using Insert ▸ Signature Line

Localized settings are now fixed, but you may still see unexpected values if you either changed these settings manually in the past, or even if you merely keep using a pre-existing user installation. In either case, please check whether these settings now have appropriate values for you, and change them if necessary in the Tools ▸ Options dialog:

Tools ▸ Options ▸ Writer ▸ General ▸ Settings ▸ Tab stops should default to 7.4 mm for Chinese (locale “zh-CN”) and to 12.5 mm for all other locales.
Tools ▸ Options ▸ Writer ▸ AutoCaption ▸ Caption Order should default to “Numbering first” for Hungarian (locale “hu”) and to “Category first” for all other locales.

Calc

Ability to save a Calc file to Excel 2003 XML format has been moved from the File ▸ Save menu to File ▸ Export menu. The Excel 2003 XML format is selected from a list of formats available on the save as dialog.

Image handling in Calc has been much improved

Images anchored to Calc cells can now be sorted.

Anchor types have been reworked tdf#114552. There are now three choices:

Anchor to cell -> Image will just move with the cell (new)
Anchor to cell (resize with cell) -> Image will move and resize with the cell
Anchor to page -> independent of any cells

When resizing images with the cell, the aspect ratio is now considered. This only works when the image fits into its cell. If it's larger than the cell, the start and end cell are always kept.

Inserted images are again anchored to cell by default. By default they only move with the cell, and don't resize.

Now, when the cursor is on the last non-protected cell of a column in a protected sheet and is moved with the Enter key, it returns to the first non-protected cell of the next column. This works in the opposite direction if the Shift key is used too.

Highlight color customization.

Impress and Draw

Draw's menus were reorganized, with the addition of a new Page menu.

Fix incorrect bracket / parentheses order in right-to-left paragraph in Impress, judging the writing direction of the text from the paragraph instead of the content alone.

New Drawing Styles and clean-up of legacy styles.

Thunderbird

Mozilla Thunderbird is a free email application that’s easy to set up and customize. It’s loaded with great features. Leap 15.1 ships with Thunderbird 60. Some new features in Thunderbird 60 are:

When writing a message, a delete button now allows the removal of a recipient. This delete button is displayed when hovering over the To/Cc/Bcc selector.

Light and Dark themes

WebExtension themes are now enabled in Thunderbird

Browsers and Web Search

Chromium

Firefox

Firefox is created by Mozilla, a global non-profit organization dedicated to putting individuals in control online. Leap 15 ships with the Extended Support Release (ESR) of Firefox 60. The ESR has a two-cycle (at least 12 weeks) overlap between the time of a new release and the end-of-life of the previous release to permit testing and certification prior to deploying a new version. Maintenance of each ESR, through point releases, is limited to high-risk/high-impact security vulnerabilities and in rare cases may also include off-schedule releases that address live security vulnerabilities. Backports of any functional enhancements and/or stability fixes are not in scope.

Desktop Environments

Enlightenment

Enlightenment window manager and desktop environment is really fast, configurable and beautiful. This package will provide the latest released version of enlightenment, as opposed to e16 or e17. Enlightenment 0.22.3 is a bugfix and stability release for the Enlightenment 22 Release series. It is the same version found in the first release of Leap 15.

GNOME

GNOME 3.26 (codename Manchester) is in Leap 15.1 once again. GNOME 3.26 brought a number of highly visible visual refinements, including smoother window transitions when maximizing, unmaximizing or snapping to one half of the screen. GNOME 3.26 introduced a new layout to the Settings application. The previous grid of icons is gone and, in its place, a sidebar allows switching between different areas. The new sidebar makes it much easier and quicker to navigate the Settings application and places the most commonly used settings within easy reach. It also means that the Settings window is now bigger and can be resized, which is more comfortable in a lot of situations.

Support for machines that have two graphics cards is now provided. If you have this hardware and switcheroo-control installed, you can select which GPU to use when launching an application. Settings will also give information on both graphics cards.

In Web, the GNOME browser, it’s now possible to synchronize your bookmarks, passwords and browser history, using the Firefox Sync service. This makes it possible to keep an online backup of this information and also to share it with Firefox desktop and mobile.

KDE and Qt

Qt 5

Qt 5 was updated to version 5.9.7, in addition to a behaviour change improving support for HiDPI and mixed-DPI environments.

Plasma

Plasma 5.12 LTS is the second long-term support release from the KDE Plasma team. Leap 15.1 includes the same LTS version. The team have been working hard, focusing on speed and stability for this release. Boot time to desktop has been improved by reviewing the code for anything which blocks execution. The team has been triaging and fixing bugs in every aspect of the codebase, tidying up artwork, removing corner cases, and ensuring cross-desktop integration. For the first time, we offer our Wayland integration on long-term support, so you can be sure we will continue to provide bug fixes and improvements to the Wayland experience.

Compared to the version of Plasma 5.12 in 15.0, this release contains improvements for handling HiDPI configurations.

Frameworks

KDE Frameworks are over 70 addon libraries to Qt which provide a wide variety of commonly needed functionality in mature, peer reviewed and well tested libraries with friendly licensing terms. The newer KDE Frameworks have made changes to several packages including Baloo, Breeze Icons, Extra CMake Modules, KActivities, KCodecs, KConfig, KIO, Kirigami, KRunner, KWayland and more.

15.1 updates KDE Frameworks to version 5.55, with some backports of bugfixes in later releases.

Applications

KDE Applications were updated to version 18.12.3 with many new features and usability improvements.

openSUSE technologies

Snapper

Snapper can now report the unique used space for each snapshot. See this blog post for more details.

YaST

Installer improvements

openSUSE Leap 15.1 will be the first multi-purpose operating system to support a full standard Linux installation experience on Raspberry Pi. No custom specific ISO to install from, no precooked image to be just copied to the system... just taking the standard unmodified openSUSE ISO image for ARM and installing like you would do on any other computer. For more details and some useful tips, see the corresponding section in the YaST Team blog.

More generally, it's now possible to set up a password-less system out of the box by specifying during installation the SSH key that will be used to authenticate the root user.

The default partitioning proposal has been improved a lot to behave better in several scenarios that were not so nicely supported in Leap 15.0. That includes small disks, systems with several disks or systems making use of Intel Rapid Start Technology.

In addition, now it's possible to choose with a single click during installation the network backend (wicked vs NetworkManager) to be used in the final installed system.

YaST Look & Feel

The overall appearance of YaST in Leap 15.1 has received a small revamp. Starting with a new set of icons, not only in the YaST Control Center but also inside all the YaST modules, with the Partitioner being one of the most clear examples.

During installation, the sidebar displaying the whole installation work-flow and indicating the current step is back, making the installation greener again!

Also related to the look & feel area but in the text-mode (ncurses) interface, the support for CJK languages has also been enhanced by using fbiterm. This also affects users of other (non-CJK) languages to some extent, because it implies the usage of a different console font. See more details in this section of the YaST Team blog.

New YaST Functionality

The management of system services in YaST has been revamped to take advantage of many of the features offered by Systemd in that area. That includes management of socket-activated services or a more tight integration with the Systemd journal. For more details, check this blog post and its follow-up.

Firewalld replaced SuSEfirewall2 as the default openSUSE firewall in Leap 15.0. Now YaST is fully adapted and the YaST Firewall module can be used to tweak the Firewalld configuration. As always, both in graphical and text mode (unlike other tools available to configure Firewalld).

The YaST Configuration Management module, which enables integration of (Auto)YaST with configuration management systems like Salt or Puppet, has been greatly improved in Leap 15.1, especially its support for SUMA Salt Parametrizable Formulas. Check this blog entry to know why this is so great and how it works.

In addition to making it possible to specify the SSH key of the root user during installation (see subsection above), YaST can now manage SSH keys for all users in its classical "User and Group Management" module.

The Partitioner can now directly format full disks, create software MD RAIDs on top of disks without partitions, create partitions within a software-defined MD RAID and many other combinations. See the section titled Changes in the Partitioner UI to Unleash the Storage-ng Power in the YaST Team blog for a full review including several screenshots and videos.

In addition to opening new possibilities with the already supported technologies, the YaST Partitioner now offers the possibility to set up bcache devices. See more details in its dedicated blog post.

AutoYaST

AutoYaST has not been left behind in any of the changes done to the other parts of YaST. This version includes support for the whole functionality added to the YaST Partitioner (from direct usage of disks to bcache and everything in between), support for specifying SSH keys for authenticating the users, a new syntax to indicate which services should be started on demand (socket activation) and the possibility to configure Firewalld. See details about all these functionalities in the YaST section.

Moreover, AutoYaST features seamless integration with the YaST Configuration Management module, in order to combine AutoYaST with Salt (or any other supported configuration management system) to enjoy the best of both worlds.

Applications

Multimedia

VLC

VLC 3.0.6 is the second version of the "Vetinari" branch for this popular media player. VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols. VLC 3 activates hardware decoding by default to get 4K and 8K playback. The newer minor version fixes an important crash from 3.0.5. The following items were added in the 3.0.6 version:

GNU Health

We have added a setup-script for GNU Health called openSUSE-gnuhealth-setup, to ease the setup of a new system for less experienced users.

In case you are upgrading GNU Health from an earlier version, make sure you follow the documentation in /usr/share/doc/packages/gnuhealth/upgrade

As usual, GNU Health is available on the Raspberry Pi as well!

OnionShare

OnionShare is a Python application that allows you to securely share files over the Tor network.

Syncthing

Users can now share files with an even more stable and reliable Syncthing! The decentralized sharing software has now gained support for Go 1.12, providing API changes for developers, more integration with Docker and ongoing work to fully support TLS 1.3 in version 1.1.1.

What else is new

An entirely new graphics stack update is available with the stable community- and enterprise-based open-source GNU/Linux distribution, Leap 15.1. Support for graphics hardware supported by the 4.19 Linux Kernel was backported for the release of Leap 15.1, which brings more graphics drivers for Graphics Processing Units (GPUs) and better support for AMD Vega cards.

GPU virtualization has become quite popular among vendors like AMD, Intel and Nvidia, and Leap 15.1 helps to deliver these implementations and support solutions for virtualized and cloud environments.

Java

Support for AES Encryption with HMAC-SHA2 for Kerberos 5 Defined in RFC 8009

The Kerberos 5 encryption types aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 defined in RFC 8009 are supported. These encryption types are enabled by default. The default order of preference is "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5".

Users can use the default_tkt_enctypes and default_tgs_enctypes settings in the krb5.conf file to modify the list.

GNU Octave

Scientists, Engineers and Developers can now work with GNU Octave version 5.1, which includes tons of bugfixes, improved API and commands alignment with Matlab's and HiDPI support for the plotting system.

matrix.org synapse server

Matrix.org’s reference server – Synapse 0.28.1 is included. The version includes a security update for the following:

Clamp the allowed values of event depth received over federation to be [0, 2^63 - 1]. This mitigates an attack where malicious events injected with depth = 2^63 - 1 render rooms unusable. Depth is used to determine the cosmetic ordering of events within a room, and so the ordering of events in such a room will default to using stream_ordering rather than depth (topological_ordering). This is a temporary solution to mitigate abuse in the wild, whilst a long-term solution is being implemented to improve how the depth parameter is used. Full details at https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI

Pin Twisted to <18.4 until we stop using the private _OpenSSLECCurve API.
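
The depth range check described above, as an added Python example that is not Synapse's own code: it filters events received over federation, clamps the depth of a new event and shows the stream_ordering fallback when depths tie. The function names, the signed 64-bit storage assumption, the tie-break ordering and the sample events are assumptions made for illustration.

```python
import struct

MIN_DEPTH = 0
MAX_DEPTH = 2**63 - 1  # bounds quoted in the release notes

# Constructed federation events; IDs and values are made up for the example.
SAMPLE_PDUS = [
    {"event_id": "$a:example.org", "depth": 12, "stream_ordering": 3},
    {"event_id": "$b:example.org", "depth": 2**63 - 1, "stream_ordering": 1},
    {"event_id": "$c:example.org", "depth": 2**63, "stream_ordering": 2},
    {"event_id": "$d:example.org", "depth": -1, "stream_ordering": 4},
    {"event_id": "$e:example.org", "depth": "12", "stream_ordering": 5},
]


def fits_int64(value):
    """True if value can be stored as a signed 64-bit integer (assumed
    here to be how depth is persisted)."""
    try:
        struct.pack(">q", value)
        return True
    except struct.error:
        return False


def depth_is_allowed(event):
    """Accept only integer depths inside [MIN_DEPTH, MAX_DEPTH]."""
    depth = event.get("depth")
    # bool is an int subclass in Python, so rule it out explicitly.
    if isinstance(depth, bool) or not isinstance(depth, int):
        return False
    return MIN_DEPTH <= depth <= MAX_DEPTH


def filter_federated(pdus):
    """Split incoming events into accepted events and rejected event IDs."""
    accepted, rejected = [], []
    for pdu in pdus:
        (accepted if depth_is_allowed(pdu) else rejected).append(pdu)
    return accepted, [pdu["event_id"] for pdu in rejected]


def next_depth(prev_events):
    """Depth for a new event: one past the deepest parent, clamped so that a
    parent already at MAX_DEPTH cannot push the value out of range."""
    deepest = max((e["depth"] for e in prev_events), default=MIN_DEPTH)
    return min(deepest + 1, MAX_DEPTH)


def display_order(events):
    """Order by depth; where depths tie (for example once they saturate at
    MAX_DEPTH) stream_ordering decides. The tie-break is an assumption."""
    ordered = sorted(events, key=lambda e: (e["depth"], e["stream_ordering"]))
    return [e["event_id"] for e in ordered]


if __name__ == "__main__":
    accepted, rejected = filter_federated(SAMPLE_PDUS)
    print("accepted:", [e["event_id"] for e in accepted])
    print("rejected:", rejected)
    print("unclamped successor fits int64:", fits_int64(MAX_DEPTH + 1))
    print("clamped successor depth:", next_depth(accepted))
    print("order:", display_order(accepted))
```
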

Pagure Git hosting forge server

The Pagure Git hosting forge server software is included for the first time.

Pagure provides an easy, customizable, lightweight solution to setting up your own full-featured Git repository server. It is similar to other popular Git-based forges, allowing developers and contributors to share and collaborate on code and content. However, it also has some unique features not found in any other Git forge providing the basis for decentralized, federated software code hosting and development.

Version 5.5 is included and an openSUSE-flavored theme is provided as the default.

DNF package manager

DNF is a next-generation dependency resolver and high-level package management tool that traces its ancestry to two projects: YUM (Yellowdog Updater, Modified) and libsolv. DNF was forked from YUM several years ago in order to rewrite it to use libsolv and to massively restructure the codebase so that a sane API would be available for both extending DNF (via plugins and hooks) and building applications on top of it (such as graphical frontends and system lifecycle automation frameworks).

DNF provides the following over YUM: a maintained and documented Python API, enhanced problem reporting, advanced tracking of weak dependencies, support for rich dependencies, and more detailed transaction information while performing actions.

The DNF Python API is stable and supported, while the underlying libdnf and hawkey APIs (both C and Python) are unstable, and will likely change in future releases.

DNF is currently not configured with openSUSE repositories for software management by default.